The number of breaches that have been reported to ASIC has been much lower than the regulator expected and it will strengthen compliance in response.
On Thursday morning, the corporate regulator released a report on the first nine months of the breach reporting regime which found only six per cent of the licensee population lodged a report.
Some 74 per cent of all reports were lodged by just 23 Australian financial services or credit licensees.
“[It] suggests that some licensees may not have in place the systems and processes required to detect and report non-compliance,” the regulator said.
ASIC commissioner Sean Hughes said in a media release accompanying the report that licensees should be aware of their obligations and fully comply with the regime which has now been in place for a year.
“ASIC will be undertaking a number of activities to strengthen compliance with the regime,” Hughes said.
Of the 8,829 reports, most related to credit and general insurance with financial advice only accounting for 878 in total. Breach reporting was introduced in the suite of regulatory forms a year ago which has become known as ‘Red October’.
In May, a report from Gadens and Lawcadia found the industry was struggling with breach reporting which ASIC acknowledged three weeks later at the SIAA Conference.
ASIC announced in August it would engage with Treasury and the industry over how the system operates and can be improved.
Size matters
Assured Support managing director Sean Graham said there was some frustration from the bigger licensees who feel the results reflected poorly on them despite doing the right thing.
“ASIC is suggesting in their report they would’ve expected a higher level of breaches from some of the smaller entities,” Graham said.
“But smaller businesses are closer to all the activities and what is going on. The chances of those significant breaches coming up and needing to be reported are far less.”
Gadens partner Liam Hennessy said the advice industry in a tricky position because smaller licensees have the same obligations as the larger ones but without the same resources.
“They don’t necessarily have the same infrastructure and resourcing for legal and compliance support, systems and controls,” Hennessy said.
He added that despite complexity still being part of the regime, complacency has crept in.
“ASIC is sending a clear message here that, much like design and distribution obligations, it’s not happy with the level of compliance across the industry with breach reporting and it will start to focus on that.”
In the interest of time
The regulator was also unhappy with was how long it took licensees to report breaches and how remediation has been handled.
In 18 per cent of the reports received, it took the licensee more than one year to identify and commence an investigation into an issue after it had first occurred.
Staff negligence or error was identified as the sole root cause in 55 per cent of reports, which ASIC described as a “high proportion”, and this included where the licensee had reported there was previously similar breaches.
ASIC said it was concerned licensees may not be adequately identifying and addressing the underlying root causes for breaches, such as by determining the underlying reasons for repeated staff negligence or error.
Some 82 per cent of all reports related to financial impacts for customers with 23 per cent being related to financial loss.
The total customer financial loss identified to date across all reports received was approximately $368.5 million.
In four per cent of reports that identified customer financial loss, licensees indicated they did not intend to compensate customers. The report also found that remediation took too long to complete and within 236 reports (12 per cent of the 1,952 reports involving compensation to customers), it took over a year to finalise.
Further review
The report and ASIC’s comments about taking more proactive enforcement came on the same day the Senate announced it had commissioned a new inquiry into the regulator.
In a media release on Thursday, Senator Andrew Bragg criticised the regulator for not taking enough enforcement action, echoing similar comments he made in a recent hearing about the Compensation Scheme of Last Resort.
“With AFCA’s significantly expanded mandate under the proposed compensation scheme, ASIC will be incentivised to undertake even less law enforcement,” Bragg said.
“There will be a reduced incentive for ASIC to enforce the law as it will be able to lean on redress schemes for consumers where it fails to enforce the law.”
Bragg said it was important to review ASIC’s enforcement record, which included recent decisions regarding Mayfair 101 and Commonwealth Bank/CFS that have gone against the regulator.
ASIC announced this week it would appeal the CBA/CFS conflicted remuneration decision.
“ASIC must get better at its one job of law enforcement, or the integrity of our financial system is at risk,” Bragg said.